Thursday, December 30, 2010

The BBC article doesn't mention it, but it would be helpful to know what personal data is being captured by web-based companies etc. In the wrong hands captured personal data for MSISDN could be used, by pinging from the internet, to cache polled MSISDNs for their IMSIs etc. The equipment is out there to do it and has been for many years.

With credit card details being included within suggested secure apps for UICC cards, it is not difficult to imagine a rogue poll and de-tanking event occurring that goes unnoticed because it appears like the modern unobtrusive location updating procedure or another procedure, and the user may only know about it after the data is missing.

Should that event happen it is what is termed as a "Mobile Cybercrime". The relevance being, making use of the singular term cybercrime as a title is highly misleading because you need a science and an operable technology in which the event needs to activate and commission. Mobile communications is a science and a technology (a damned fine science and technology they are, too).

Transparent EF: an unformatted data field; containing a sequence of bytes that can be accessed individually or in variable length.

Linear Fixed EF: Formatted data field with records that all have a constant length

Cyclic EF: Formatted data field derived from a linear data field with constant length

From these EFs the data commonly acquired are identities and records such as IMSI, Phonebook, SMS, Location Information etc, to name but a few. The structure and type of content allocated to unformatted and formatted EFs above, has remained fairly constant with ETSI, GSM and 3GPP standards.

Evidentially, of course, examiners are often focussed on merely obtaining the content of a particular EF, with reliance placed entirely upon the SIM/USIM reading tool to achieve that objective. Limitations in applied attendance time (whatever the causes might be for that) mean the examiner rarely scratches the surface to comprehend the coding of the commands that are issued when selecting an EF etc (the subject will be discussed in a later tutorial). However, prior to selecting an EF there is important information that needs to be known about how elementary files and their life cycles are created in the first place, and about their associated file templates. This tutorial therefore provides a brief look at what is involved in creating an EF and some helpful hints for examiners relevant to forensics.

Why would this be of interest to examiners? Without a created EF there would be no EF to select in the first place and thus ultimately no data to be extracted and harvested. Where examiners are dealing with illicit data couriers (the cybercrime paradigm, industrial espionage, terrorist data etc) these intelligent bandits are demonstrating that they are competent to a degree that can be said to be equal to or more advanced than examiners, and naturally they seek to outwit examiners and to hide information in elementary files in ways that avoid detection by standard evidence SIM/USIM reading tools. Both these points represent reasons for examiners to understand how EFs are created and what can be revealed from knowing the templates and the coding of the commands for that purpose.

It should be understood that technical advancements and technology evolution have not been without their impact on ICC/UICC and therefore when starting out it is important that examiners have awareness about the evolving standards that should be considered and effort that should be made to comprehend the instructions in them. The standard I have chosen for this tutorial is TS 102 222 Administrative Commands for telecommunication applications as this is the standard that defines creating EFs on ICC and for UICC, too.

Reference to ICC/UICC is intended to mean elementary files that are created etc on them and not the OS, physical or some logical aspects of ICC/UICC.

To start with the two versions of the same standard for this discussion have been used and are identified below. I should point out there are over 26 different versions of this particular ETSI Standard.

The first point to note is the inclusion of additional elements in the later version of the standard and the re-ordering of the template. This example will hopefully and immediately illustrate why SIM/USIM readers obtain different bits, nibbles and bytes in the hex string and content of SIMs/USIMs. Or said another way, the omission to extract and harvest data from SIMs/USIMs

The second point to be learned from the finding above should lead examiners to question: which adopted standard is the format of the EF recorded on the ICC/UICC under examination? The only way you will know that is to identify the template to which the EF has been coded. Each brand name manufacturer has their own tools to obtain the coded template information but there are several application vendors out there that also produce third party software.

Prior to obtaining software, examiners need to have some indication of how template data can be illustrated for coding purposes, which shall be dealt with in the next tutorial.
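As an added illustration (not part of the original tutorial and not taken from any vendor tool), the Python sketch below decodes a file control parameters (FCP) template, reports whether the EF is transparent, linear fixed or cyclic, records the order in which the template elements appear, and cross-checks file size against record length. The tag and bit meanings are assumed from the FCP coding in ETSI TS 102 221 / TS 102 222 and should be confirmed against the version of the standard that applies to the card; the three hex strings are constructed samples, not data read from a real card.

```python
# Added example. Tag/bit meanings are an assumption based on the FCP template
# coding of ETSI TS 102 221 / TS 102 222; the sample bytes are constructed.
EF_STRUCTURES = {0b001: "transparent", 0b010: "linear fixed", 0b110: "cyclic"}

# Constructed FCP templates (status word already stripped).
SAMPLE_IMSI = "621782024121" "83026F07" "8A0105" "8B036F0602" "80020009" "880138"
SAMPLE_SMS = "6217" "83026F3C" "800206E0" "8A0105" "8B036F0604" "8205422100B00A"
SAMPLE_CYCLIC = "6212" "82054621000302" "83026F39" "8A0104" "80020009"


def read_tlvs(data):
    """Return [(tag, value), ...] for single-byte-tag TLVs; raise if truncated."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        tag, length = data[i], data[i + 1]
        i += 2
        if length == 0x81:                      # long form: one extra length byte
            if i >= len(data):
                raise ValueError("truncated TLV length")
            length = data[i]
            i += 1
        elif length > 0x7F:
            raise ValueError("unsupported length encoding")
        if i + length > len(data):
            raise ValueError(f"value of tag {tag:02X} runs past end of data")
        out.append((tag, data[i:i + length]))
        i += length
    return out


def decode_descriptor(value):
    """Decode the file descriptor (tag 82): file kind, EF structure, record layout."""
    if len(value) not in (2, 5):
        raise ValueError("file descriptor must be 2 or 5 bytes")
    fd = value[0]
    out = {"shareable": bool(fd & 0x40)}
    if fd & 0x38 == 0x38:                       # bits b6-b4 = 111: DF or ADF
        out.update(kind="DF/ADF", structure=None)
    else:
        out["kind"] = "internal EF" if fd & 0x38 == 0x08 else "working EF"
        out["structure"] = EF_STRUCTURES.get(fd & 0x07, "unknown")
    if len(value) == 5:                         # record-based EF
        out["record_length"] = int.from_bytes(value[2:4], "big")
        out["record_count"] = value[4]
    return out


def decode_life_cycle(b):
    """Decode the life cycle status integer (tag 8A)."""
    if b in (0x00, 0x01, 0x03):
        return {0x00: "no information", 0x01: "creation", 0x03: "initialisation"}[b]
    if b & 0xFC == 0x04:
        return "operational, activated" if b & 0x01 else "operational, deactivated"
    if b & 0xFC == 0x0C:
        return "termination"
    return "proprietary or reserved"


def parse_fcp(raw):
    """Decode one FCP template regardless of the order of its elements."""
    outer = read_tlvs(raw)
    if len(outer) != 1 or outer[0][0] != 0x62:
        raise ValueError("expected a single FCP template (tag 62)")
    info = {"tag_order": [], "findings": []}
    for tag, value in read_tlvs(outer[0][1]):
        info["tag_order"].append(f"{tag:02X}")
        if tag == 0x82:
            info.update(decode_descriptor(value))
        elif tag == 0x83:
            info["file_id"] = value.hex().upper()
        elif tag == 0x80:
            info["file_size"] = int.from_bytes(value, "big")
        elif tag == 0x8A and value:
            info["life_cycle"] = decode_life_cycle(value[0])
        elif tag == 0x88:
            info["sfi"] = value[0] >> 3 if value else None
        elif tag not in (0x81, 0x84, 0x8B, 0x8C, 0xA5, 0xAB, 0xC6):
            info["findings"].append(f"tag {tag:02X} not decoded by this example")
    for tag, name in ((0x82, "file descriptor"), (0x83, "file identifier")):
        if f"{tag:02X}" not in info["tag_order"]:
            info["findings"].append(f"no {name} (tag {tag:02X}) in template")
    # Size is checked after the loop because tag 80 may precede or follow tag 82.
    if "record_length" in info and "file_size" in info:
        if info["record_length"] * info["record_count"] != info["file_size"]:
            info["findings"].append(
                f"file size {info['file_size']} does not equal "
                f"{info['record_count']} records x {info['record_length']} bytes")
    return info


if __name__ == "__main__":
    for label, sample in (("IMSI-like", SAMPLE_IMSI), ("SMS-like", SAMPLE_SMS),
                          ("cyclic", SAMPLE_CYCLIC)):
        print(label, parse_fcp(bytes.fromhex(sample)))
```

The second sample carries the same kinds of element as the first in a different order, which is why the parser keys on tags rather than byte offsets.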

Thursday, November 25, 2010

How to send self deleting SMS according to a computer hacking website that reports "this technique is called SAFE-TEXT. It's a technique where a message destroys itself after being read."

Before proceeding further there are several matters worth mentioning.

Sent flash SMS text messages are not automatically saved and thus delete after opening and closing the message, irrespective of whether the receiving party actually peruses the content or not. It is a technical mechanism included in the technical realisation of GSM and WCDMA. A flash message is technically referred to as a Message Class: Class 0. For a further discussion of flash messages see: Disappearing Sms Text Messages

Fairly recently I wrote about automatic deletion of text messages: an app that can be installed on certain mobile phones and attributes a timer to received messages, set to the length of time the message can be stored. That particular discussion, though, related to the fact of texts being stored inside the application and encrypted, so they would be outside the scope of handset readers that extract and harvest data to generate evidence: Mobile Telephone Evidence Newsletter MTE_Vol7_MTE02_2010

Another option for automatically deleting text messages and a common feature found on smart phones is 'validity period' (not to be confused with 'validity period' for transmission/reception of SMS text messages) where the smart phone user or controller of it sets a storage clear out time for saved text messages or a security policy is set or triggered deleting stored text messages.

In each of the cases above at no time is there any suggestion of something illegitimate occurring or the desire to generate something potentially illegal. Thus, full-circle, we return to SAFE-TEXT. Instead of the actual text being sent to the target user's handset and self deleting thereafter, the recipient is supplied with a mobile internet link and visiting the website clicks the message which can then disappear within seconds. It is not clear, because I haven't tested it out as I only learned of this matter yesterday, whether the web browsing cache in the handset caches the complete activity of the mobile viewed webpage, which may provide an option to replay the message. The full extent of anonymity with SAFE-TEXT is not clear either because a user must "register" for the service and "2. If you’re the sender, the message will show your name and number." No doubt we will learn of reports that will confirm if this is a menace service or not.

Called the "Truth in Caller ID Act of 2010" the legislation (HR 1258 Report No 111-461 / Union Calendar No 264) amending the Communications Act 1934 makes it illegal in the US "to cause any caller ID service to transmit misleading or inaccurate caller ID information, with the intent to defraud or deceive."

Tuesday, November 16, 2010

1) How many 'evidence' handset reader tools can you name off the top of your head?
2) And how many of those tools extract and harvest data from iPhones?

In answer to question one we know we can at least identify thirteen (13) tools and the answer to question two is also at least thirteen (13) tools. The answers can be found in 'iPhone Forensics White Paper' published by viaForensics. The authors of the document are Andrew Hoog and Katie Strzempka.

The number of tools now available and sold into the marketplace is a bit of a surprise because in most cases a large portion of the forensic community do not own one copy of each of these tools as it is not strictly necessary. It is quite useful, though, to see a report like this that brings together at least 13 tools so that there is a record of the existence of these tools and how they are viewed in relation to their usefulness.

What I like about this report is that it is produced entirely independent of any of the handset reader software manufacturers and the authors/publishers were not compensated in any way for the work and effort that went to researching and testing each tool. I should also point out that I am not being compensated in any way either for mentioning the researchers/publishers or this White Paper.

I won't spoil the fun for you of reproducing the findings and results recorded in the White Paper, but you can read about them for yourself at the weblink below:

Wednesday, November 10, 2010

In the Christian religion, and I put my name down as one who believes, there is a poignant, moving verse in New Testament, St.John, 15:13:

"Greater love hath no man than this, that a man lay down his life for his friends"

That testimony is the tribute we pay to all of the brave who were remembered at the Field of Remembrance in Wiltshire, yesterday.

The Wiltshire Times reported memorable coverage of yesterday's Service and Days Events. Their online contribution can be read at the link below:

http://www.wiltshiretimes.co.uk/news/3816788.A_field_of_remembrance/

Poppies and Heroes - get involved......

Each year I run the Poppies and Heroes reminder appeal. Those who lose their lives in service of our country, they are our boys and girls, sons and daughters, brothers and sisters, our family. Where we expect them to protect us, it is a small return of our duty to their families that when their lives are lost we remember, we share and we console so that their mothers and fathers know we stand with them, beside them, in their loss.

Tuesday, November 09, 2010

I have endeavoured to be free with sharing knowledge and information over the years through my blogs, but given the changing economy, UK and global events and advancements in forensics the nature of the technical content, new developments and examination techniques and legal information will only be accessible to approved law enforcement personnel, security specialists and authorised individuals. The following blogs are now approved access only:

Cell Site Analysis
http://cellsiteanalysis.blogspot.com

Forensic examination and evidence from SIM and USIM
http://sim2usim.blogspot.com

Forensic examination and evidence from Mobile and Smart Phones
http://forensicmobex.blogspot.com

Mobile Telephone Evidence (http://trewmte.blogspot.com) will of course remain open.

Monday, November 08, 2010

I got a text message today (08/10/10) from Orange informing me "Now you can pick up a signal from both the Orange and T-Mobile networks.....". Further information about this is available at the weblink below:

https://kareena.orange.co.uk/share/

Call and text in even more places

Now you can pick up a signal from both the Orange and T-Mobile networks in the UK which means that you can call and text in even more places.

Your phone will use T-Mobile signal if it doesn't pick up an Orange signal

Your charges stay the same when you use T-Mobile signal

Nothing else will change, you'll just get more network coverage

There will be an impact on investigation and evidence. I have raised some additional observations in the discussion "CSA and seamless roaming" at:

UK seamless roaming on the H3G to O2 and H3G to Orange always added further dimensions needing to be investigated when conducting cell site analysis (CSA). However, Orange's announcement today (08/10/10), sent by text message to its customers, will mean extending seamless roaming investigations now to Orange and T-Mobile too.

This provides further corroboration that simplifying investigations and not spending the appropriate time conducting radio tests and cross-referencing to the appropriate network records can lead to erroneous findings and reported flawed opinions to the client and court.

Sunday, November 07, 2010

As members of the Institute for Digital Forensics (IDF) Group at LinkedIn (http://www.linkedin.com/), we are discussing the creation of an ISO 17025 Toolkit and assistance that might be offered by other QA standards.

You will need to be an approved but free to join participant of the Institute's IDF Group to gain access to the materials.

Thursday, November 04, 2010

US analysis of the use of email, websites, Instant Messages, Twitter, Facebook and other online resources to torment, harass and/or embarrass other children – has become an increasingly common phenomenon in American schools. The emotional injuries – and the occasional suicides – attributed to cyberbullying have led some to call for making cyberbullying a crime in and of itself.

This article analyzes the arguments for and against creating a new, “cyberbullying” offense. It argues that existing criminal law can adequately address cyberbullying when the “harm” it inflicts rises to the level that warrants the use of criminal sanctions; it also argues that the residual instances of cyberbullying which do not qualify for the use of criminal liability are better addressed by other, non-criminal means.

Wednesday, November 03, 2010

Wonder how we will handle the examination of this beast? Which profile will need to be read first? Will the handset have different profiles? Will each SIM have its own password? There are so many questions this news story raises. Previous experience has shown care is needed with handling the examination of handsets containing two (dual) SIMs (http://sim2usim.blogspot.com/2008/11/cloning-test-sim-cards.html).

Spreadtrum Announces the World’s First Single Chip Quad-SIM Standby Solution

The SC6600L6 allows four GSM SIM cards simultaneously running on standby mode with only one set of baseband and RF. It integrates a processor engine and controller for supporting quadruple SIM cards and has an improved graphic user interface for Quad-SIM. The product supports different multi-SIM options, including dual SIM, triple SIM, and Quad-SIM in a single set of baseband and RF chip, provides more choices to handset designers and meets need of users from different regions.

Tuesday, November 02, 2010

Back in 2002 I wrote about SIM Card Cloning for examiners to demonstrate the state of the market place, where software and hardware was being openly promoted that researchers could obtain and what might an examiner be exposed to when examining a cloned SIM Card. A copy of that report can be downloaded here:

In 1998 I circulated a report (UPD5-1 Vol1 - FEN98) on Smart Card Hacking to members of the British Association of Criminal Experts (BACE). The archive report has been scanned page by page and put into acrobat.pdf format and can now be downloaded here:

The smart card hacking report has an interesting description for classification of the various levels of criminal activity in addition to techniques of smart card hacking. This particular report was the one that inspired me to write about SIM Card Cloning for examiners. Once again thanks and respect to Ross Anderson and Markus Kuhn.

It is important to consult the laws of the country you are in when dealing with research for cloning SIM Cards. This blog article does not promote or advocate anyone to break the law by cloning or attempting to clone SIM cards for the purposes of obtaining services or breaching property rights belonging to respective particular network operators etc.

Monday, November 01, 2010

Heine, G; referred to the model "An MS performs LU on several occasions: every time it changes the location area, periodically, when a periodic location update is active, or with IMSI attach/ detach switched on at the time when it is subsequently turned on again."

That statement minimises, thus hides, a considerable body of mobile activity and, importantly, cell site analysis (CSA) suffers when students and practitioners fail to take into account the importance in the depth of knowledge and understanding that is needed to include the important facet of Location Update when conducting CSA. The following may assist students and practitioners with a simplified operational background as to events when Location Update (LU) takes place:

The MS requests a control channel from the BSC. The BTS decodes the CHAN_REQ, calculates the distance MS↔BTS (timing advance), and forwards all this information to the BSC. Please note that the CHAN_REQ already indicates which service the MS requests (Location Update, in this case).

After the CHAN_RQD is received and processed, the BSC informs the BTS which channel type and channel number shall be reserved (CHAN_ACT).

The BTS confirms with a CHAN_ACT_ACK that it received and processed the CHAN_ACT.

The BSC sends the IMM_ASS_CMD, which activates the previously reserved channel. The BTS sends this information over an AGCH to the MS. The MS finds “its” IMM_ASS_CMD by means of the request reference, which is already contained in the CHAN_REQ.

Layer 2, the LAPDm connection is activated only now. The MS sends a SABM to the BTS, which (differently from LAPD) already contains data (LOC_UPD_REQ in this case).

The BTS confirms that a LAPDm connection was established by sending an UA message, which repeats the LOC_UPD_REQ.

The BTS passes LOC_UPD_REQ to the BSC. Although this is a transparent MM message, the BSC still processes the LOC_UPD_REQ in parts, because the BSC, amongst others, requires the Mobile Station Classmark information. The BSC packs LOC_UPD_REQ, together with the current LAC and CI, into a CL3I message (Attention: the LOC_UPD_REQ from the MS contains the old LAC!) and then sends this within a SCCP CR message to the MSC. The CR message carries not only the LOC_UPD_REQ to the MSC, but also requests establishment of an SCCP connection.

If the MSC is able to provide the requested SCCP connection, then the CR is answered with a CC. A logical connection from the MS to the MSC/VLR exists from this point in time on. The MSC/VLR answers the LOC_UPD_REQ with an AUTH_REQ. This message is conveyed to the BSC via the established SCCP connection.

BSC and BTS transparently forward the AUTH_REQ to the MS. Most important content is the random number parameter (RAND). The MS (more precisely the SIM) calculates the result SRES by feeding RAND and Ki into the algorithm A3, then transparently sends SRES in an AUTH_RSP message to the MSC/VLR. The VLR compares SRES with the value provided by the HLR.

The MSC/VLR switches on ciphering, if the result from the authentication is correct. For this purpose, the MSC/VLR sends information to both, the MS and the BTS.

The BTS extracts its part from the ENCR_CMD message, which is Kc, and sends the rest in a CIPH_MOD_CMD message to the MS. The CIPH_MOD_CMD message only contains the information on which cipher algorithm (A5/X) shall be used. The MS confirms, by sending a CIPH_MOD_COM message, that ciphering was activated.

If Equipment Check is active, then the MSC/VLR requests the MS to provide its IMEI. This is done in an IDENT_REQ message, which is transparent for the BSS. Please note that the IDENT_REQ message also allows to request the TMSI or the IMSI. The equipment check may be performed at almost any time during the scenario, or in other words, is not tied to this place of the scenario.

The MS transparently transmits its IMEI in an IDENT_RSP message to the MSC/VLR, where it is checked by means of the EIR, whether that equipment is registered stolen or not approved.

The MSC/VLR assigns a TMSI, which is used instead of the IMSI in order to make tracking of subscribers more difficult. TMSI_REAL_CMD is also a transparent message between MSC/VLR and MS. The most important content of this message is the new TMSI. Please note that the assignment of a TMSI may also take place at the end within the LOC_UPD_ACC.

The MS confirms with a TMSI_REAL_COM that the new TMSI was received and stored. If the new TMSI is assigned with a LOC_UPD_ACC, then the TMSI_REAL_COM is obviously sent only after the LOC_UPD_ACC.

Sending of the transparent LOC_UPD_ACC message confirms that the MSC/VLR has stored the new Location Area (LAI). This concludes the Location Update process. The control channel that was occupied on the Air-interface has to be released after the Location Update scenario has ended. For this purpose, the MSC sends the CLR_CMD message to the BSC. The BSC passes this command in a CHAN_REL to the BTS, which passes it to the MS. By sending a DEACT_SACCH, the BSC requests the BTS to cease sending of SACCH messages (SYS_INFO 5/6). The MS reacts to receiving a CHAN_REL message by sending a DISC (LAPDm).

This requests from the BTS to release its Layer 2 connection. The BTS confirms release of the Layer 2 connection by sending an UA message. Towards the BSC, the BTS confirms release of the Air-interface connection by sending of a REL_IND message. The BSC forwards this acknowledgment in a CLR_CMP to the MSC. The BSC requests the TRX in a RF_CHAN_REL to release the occupied resources on the Air-interface. RLSD requests release of the SCCP resources.

RF_CHAN_REL_ACK confirms release on the Air-interface. RLC confirms release of the SCCP resources.
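The sequence above can be turned into a conformance check for a decoded trace. The Python sketch below is an added example, not part of the original post: it walks a list of message names in the order described, treats the equipment check and TMSI reallocation as steps that may float as the text allows, and lists anything missing or out of place. The trace format, the function names and the sample traces are assumptions constructed for illustration, and the single message list merges what are in practice separate air-interface, Abis and A-interface captures.

```python
# Added example: check a Location Update trace against the order described above.
# The (name, attributes) trace format and the sample traces are constructed.
SETUP = ["CHAN_REQ", "CHAN_RQD", "CHAN_ACT", "CHAN_ACT_ACK", "IMM_ASS_CMD",
         "SABM", "UA", "CR", "CC"]
SECURITY = ["AUTH_REQ", "AUTH_RSP", "ENCR_CMD", "CIPH_MOD_CMD", "CIPH_MOD_COM"]
RELEASE = ["CLR_CMD", "CHAN_REL", "DEACT_SACCH", "DISC", "UA", "REL_IND",
           "CLR_CMP", "RF_CHAN_REL", "RLSD", "RF_CHAN_REL_ACK", "RLC"]
EXPECTED = SETUP + SECURITY + ["LOC_UPD_ACC"] + RELEASE
# Steps the text says are not tied to one place in the scenario.
FLOATING = {"IDENT_REQ", "IDENT_RSP", "TMSI_REAL_CMD", "TMSI_REAL_COM"}


def check_location_update(trace):
    """Return a list of findings; an empty list means the trace matches."""
    findings = []
    pos = 0
    # Pass 1: the fixed steps must appear in the described order.
    for name, _ in trace:
        if name in FLOATING:
            continue
        if name in EXPECTED[pos:]:
            nxt = EXPECTED.index(name, pos)
            findings += [f"missing {m} before {name}" for m in EXPECTED[pos:nxt]]
            pos = nxt + 1
        else:
            findings.append(f"unexpected or out-of-order {name}")
    findings += [f"missing {m} at end of trace" for m in EXPECTED[pos:]]

    # Pass 2: the floating steps must pair up and sit inside the connection.
    connected, pending_ident, tmsi_offered = False, 0, False
    for name, attrs in trace:
        if name == "CC":
            connected = True
        elif name == "IDENT_REQ":
            if not connected:
                findings.append("IDENT_REQ before SCCP connection (CC)")
            if attrs.get("identity") != "IMEI":
                findings.append(
                    f"note: IDENT_REQ requests {attrs.get('identity')}, not IMEI")
            pending_ident += 1
        elif name == "IDENT_RSP":
            if pending_ident:
                pending_ident -= 1
            else:
                findings.append("IDENT_RSP without IDENT_REQ")
        elif name == "TMSI_REAL_CMD" or (name == "LOC_UPD_ACC" and "tmsi" in attrs):
            tmsi_offered = True
        elif name == "TMSI_REAL_COM":
            if not tmsi_offered:
                findings.append("TMSI_REAL_COM without a TMSI assignment")
            tmsi_offered = False
    if pending_ident:
        findings.append("IDENT_REQ not answered")
    if tmsi_offered:
        findings.append("new TMSI not confirmed by TMSI_REAL_COM")
    return findings


def sample_trace(tmsi_in_accept=False, drop=(), identity="IMEI"):
    """Build a constructed trace (not captured from a real network)."""
    trace = []
    for name in EXPECTED:
        if name in drop:
            continue
        if name == "LOC_UPD_ACC":
            if tmsi_in_accept:   # TMSI carried in LOC_UPD_ACC, confirmed afterwards
                trace += [(name, {"tmsi": "constructed"}), ("TMSI_REAL_COM", {})]
            else:                # TMSI reallocated before the accept
                trace += [("TMSI_REAL_CMD", {"tmsi": "constructed"}),
                          ("TMSI_REAL_COM", {}), (name, {})]
            continue
        trace.append((name, {}))
        if name == "AUTH_RSP":   # equipment check placed here for the sample
            trace += [("IDENT_REQ", {"identity": identity}), ("IDENT_RSP", {})]
    return trace


if __name__ == "__main__":
    print(check_location_update(sample_trace()))
    print(check_location_update(sample_trace(
        drop=("ENCR_CMD", "CIPH_MOD_CMD", "CIPH_MOD_COM"), identity="IMSI")))
```

The second sample shows the kind of output an examiner would follow up on: the ciphering steps are reported as missing before LOC_UPD_ACC and the identity request is noted as asking for the IMSI.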

Saturday, October 30, 2010

Back in 1997 the journalist Michael Fleet wrote in the Daily Telegraph Tuesday May 6th about a report that I had written calling for mobile phones to carry warning signs informing users about the dangers of using a mobile phone whilst driving - copy of the newspaper article is here:

http://www.4shared.com/document/yGHb13t3/Mobile_Warning_Signs.html

At the time of my report it was made following the case of the first prosecuted case of death by reckless manslaughter caused by driving whilst the driver was using a mobile telephone in which I was the prosecution mobile telephone expert. The deceased's injuries sustained from that RTA were horrific and therefore my call for warning signs on mobile phones had purpose. As digital mobile communications was still a young, growing industry in the UK in 1997 my idea didn't find much favour because of the economic and political climate back then.

I read an article in September 2010 titled "US official wants 'distracted driving' label on cell phones", reported by Karin Zeitvogel (AFP) – Sep 21, 2010, that in essence suggests a similar approach to the one I made 13 years earlier. The article is here:

US official wants 'distracted driving' label on cell phones: http://www.google.com/hostednews/afp/article/ALeqM5ht1T9FoPDKuWpPlBLwMls3XI7ntQ

I wonder if as the person making the challenge this time around is a US government official (US Transportation Secretary Ray LaHood) raising the topic his idea will find favour or will the suggestion fall on deaf ears and not find favour?

One exciting aspect about forensic examination of mobile handsets is the constant exposure to innovation and change in the variety of handsets to which we are exposed, sometimes on a daily basis. Legality and privacy are two imposing factors when it comes to dealing with content on mobile phones and the right of access. Where PIN and/or Password is not revealed by the suspect, authority is needed to continue to gain access to a device in order to reveal content.

Passwords/PIN are commonly alpha-numeric digits and there are ways and methods of dealing with those. When Android introduced symbol based password options for their handsets, this feature added a new dimension an examiner had to cope with during the examination process. Now there is a new development to deal with, created from an EU funded project, the MOBIO project. MOBIO stands for Mobile Biometry. More on this subject.........

Thursday, October 28, 2010

Regular visitors to my weblog are already aware, however if you are a first time visitor you may care to know that I am not simply involved with forensics and evidence for over two decades but that I am also an active campaigner to bring to the fore and make revelation about the amazing world of mobile communications and the very poor promotion of its incredible historical roots, not just in scientific discovery but as an advanced technological communications masterpiece, also.

Here is another interesting piece of information that recently emerged, recorded in the Daily Mail online:
http://www.dailymail.co.uk/sciencetech/article-1324132/1928-Charlie-Chaplin-film-mobile-phone-time-travelling-mystery.html

Tuesday, October 19, 2010

We had a short discussion recently about "cyber" labels and their meanings. The wave that has been engulfing society for the last decade, driven by Psychology "with everything" NNNOOOOWWWW!!!! and the use of 'label-ism' phenomenon to influence us that we need/must have/do something, is now causing much confusion.

Cybering was discussed, done and dusted, in the late 1990s early 2000, thus cybering has not just occurred as a new phenomenon. Label-ism, in the case of cybering, isn't helping its cause either when announcing cyber threats to the UK or the World (for that matter) where mistakes in the use of definitions are publicly announced. It won't help the security services to do their job - protect the Realm - if society doesn't understand what the heck is discussed. There must be a drive from top Government (David Cameron top table people) to make a substantive effort to clarify label-ism when discussing publicly threats we are led to believe are imminent.

Discussing cyber definitions with Simon "Si" Biles, the security specialist at Thinking-Security dot com, he offered these descriptions assigned to their labels identifying possible security threats that might be engineered from within cyber space:

"There seems to have been a general mixing of the terms : cyber-warfare, cyber-terrorism & cyber-crime : the news, as is oft the way with things they don't/can't/won't understand, interchanges them without consideration.

"cyber-crime is no better or worse than it has ever been, phishing, cracking etc. are much the same as always - there are highs and lows, but nothing particularly extreme. Of course these figures are always exaggerated by the number of crimes that are committed that have a computer used in their research/planning/execution - but this isn't cyber-crime anymore than stealing a knife is "knife crime".

"cyber-terrorism, to take the traditional use of the word "terrorism" ( or arguably "freedom fighting" depending on where you are standing ) is the "guerrilla warfare" of the computer world - denial of service, defacements etc. For example the "Anonymous" attacks on the Copyright crowd. Where this "terrorism" impacts on the general public is few and far between - a denial of service against a particularly greedy bank might impact on a few, but in real terms, this doesn't, and is unlikely to, create problems on the scale or magnitude of a traditional terrorist attack. And again, this has been going on, much of a muchness for sometime - highs and lows - usually associated with world events - but predominantly from individuals or insignificant groups.

"cyber-warfare is a bit different, and, really hasn't been seen except in Georgia - and even then, although that was suspected to be from Russia, that was never really proved - it could as well have been from a reasonable size hacker group just stretching in a country where there was little chance of prosecution or repercussion. I guess what Greg is suggesting above is probably the worst case scenario where the internet is compromised in some way that means that businesses can't communicate funds transfers - e.g. PoS - in reality though, as "the internet" is built on a wide variety of technologies ( from many and varied manufacturers ) and is designed to be resilient in the case of nuclear war ( or not ... http://en.wikipedia.org/wiki/Arpanet#The_ARPANET_under_nuclear_attack ) the chances of "taking out the internet" for a given country are fairly limited in a cyber-warfare scenario. In fact you'd stand a better chance of taking out the internet in the UK with some more traditional arson against certain backbone sites ...

"It is this, final, threat that is both having its bandwagon jumped on and is being blown out of proportion. Like most things - it's exciting, so it gets a lot of press - you are more likely to be burgled, have your car stolen, be involved in a hit & run or have your pocket picked than you are to be a victim of cyber-crime. Even Identity Theft ( which is portrayed as cyber-crime) is considerably easier to achieve through a dust-bin sift than a computer. Cyber-terrorism ? I'd be delighted to sell "cyber-terrorism" insurance to anyone who wants it ! "

The term 'Cyber' has been discussed above in context with types of threats that could be generated using it. The discussions above do not rule out or suggest that cyber is or could be put to good use too.

Tuesday, October 12, 2010

If there was a public stand and famous people such as Simon Cowell, Cheryl Cole, Louis Walsh were stood on it promoting X-Factor no doubt crowds would pack around the stand listening adoringly to these famous people. Should we really need fame in our immediate presence then to pay the same equal attention when two ordinary non-famous people publicly speak about those who oppress, create mental fear and inflict physical pain and suffering?

Walking in the Surrey town of Dorking today in the area of an open air arcade there was such a stand and two women were there promoting help for those that have or are suffering from Domestic Abuse. No crowds thronged to stop and listen to their message. These two women represent relatively the unheard in our society who speak out on Domestic Abuse and the help that is available. They are the people who give their time freely and rarely get recognised for what they do. Well done to the two women I saw and spoke with today; one who outlined cultural domestic abuse and another an off duty Surrey Police Officer giving up her time to get the message out and familiar with Abuse crimes that she encounters during her work. Victims, I learned, can be women, children and men caught up in a cycle of abuse in relationships who may feel trapped and unable to speak out or speak up for themselves. Men, I understand, don't speak up because they feel too ashamed to tell anyone.

The statistics for Domestic Abuse crime in the UK make very sad reading indeed and that is why I wanted to make this small contribution to help by offering to mention the Groups and their contact points where victims can go, get help and seek advice. All enquiries are in complete and strictest confidence.

If you are a victim, don't suffer in silence. Even if you are unsure but just want to check out where you stand - these are very skilled people who can help, if you will let them.

Tuesday, September 28, 2010

Do you remember back in March I wrote the piece about "Mobile Phone outsourcing goes insourcing" ( http://trewmte.blogspot.com/2010/03/mobile-phone-outsourcing-goes.html ), well yesterday I was given a link to Kent Police website and to the webpage dealing with public meeting notes:

That is one heck of a lot of money, either way it is looked at, for just one micro-section alone that overweights the scales on one side for public funds and yet when working as defence experts we have been systematically starved and drip fed minimal funding for the last 5 years. It could be quite laughable really (because the scales of justice are shown as balanced) if the times we are in weren't so dire. We will just have to wait and see how the new Government handles the way forward.

Monday, August 30, 2010

I am glad to see more and more information popping up on the Internet that identifies and reaffirms the exciting history of mobile telephones, originally called wireless telephones. I am and I believe I shall always be an advocate of this scientific technological advanced development. If there are details defining our science that can help people understand the history and future of mobile telephones then I want to know about it and let you know too.

In 2009 I set out historical reference relevant to mobile communications and telephones and in it referred to a particular important historical event, that being the first patented wireless telephone. "1908: Nathan B. Stubblefield invented and patented the first mobile telephone a 100-years ago." http://trewmte.blogspot.com/2009/01/mobile-forensics-and-evidence-degrees.html

A technological fact worth noting about Stubblefield's invention is that it did not make use of a computer central processing unit (CPU) which was not invented in 1908 and was many decades away. Thus mobile telephones were scientifically and technically defined then, as they are today, by the science with which the devices are intended to make use - wireless (radio signals)/telecommunications.

The Washington Post (February 20th 1910) ran a story of a development for wireless telephones to use an umbrella as an antenna and the thought that wireless telephones could be used for sending aerograms (a fore-runner idea to text messages) containing Valentine messages? http://www.paleofuture.com/blog/2007/5/29/your-own-wireless-telephone-1910.html

The aerogram idea would not be an idea that would be far fetched for 1910 given that previously technology was already in use for sending text messages. One hundred years on, I wrote in 2010 about Victorian Texting and its origins. "Victorian Texting was made possible with the use of the Wheatstone's ABC Telegraph originated in 1842 developed by the English physicist and inventor Sir Charles Wheatstone (1802-1875)." http://trewmte.blogspot.com/2010/01/victorian-texting.html

Wheatstone's invention of 1845 may fit with the notion for the possibility in 1910 of an aerogram (instead of a telegram) to be communicated over-the-air and again reinforces the point how the concept of features originating from telecommunications could be used with wireless technology.

Sixty years on from 1910 our common understanding of mobile telephones started to come to fruition. In 1976 a design (see image above) for the first portable telephone, so we are told, was not far off the design of mobile handsets used in the 1980s. http://www.paleofuture.com/blog/2009/8/30/portable-telephones-1976.html

Throughout the last century and up to date, wireless telephones (mobile phones/smart phones) utilise a natural science that remains the kernel for and primary concept of mobile telephones, a position that appears unchangeable, and that is that mobiles use radio signals. Today we speak of cellular radio, but the natural waveform of radio signals is still analogue in nature, irrespective of the modulation treatment applied to the analogue signals. Mobile telephones today have analogue-to-digital (A/D) signal processors to convert the radio signal into a digital format. Naturally, mobiles equally use a digital-to-analogue signal processor. I guess the day mobile telephones no longer need or use radio signals for over-the-air communications then that is the day when we might re-name them as smart electronic devices. Until then, mobile telephones are here to stay and, as far as I can see, for many decades to come.

Friday, August 13, 2010

I have been an advocate, as many of you know, for many years for the use in evidence of network operator generated analogue and digital cellular radio maps (eg best server plots/density maps & single cell prediction plots/density maps). That is because they are a composite compiled from a collection of visible and discrete detail relevant to the operator's predication. They illustrate, if you will, a visual demonstration of a radio coverage strategy in an area. A recent US case dealt with cell site maps as part of the evidence. The case of the US v Benford discussed by Law Professor Susan Brenner, at her weblog, makes interesting reading indeed:

Tuesday, August 10, 2010

Tuesday, August 03, 2010

Today, SMS (short message service) text messaging celebrates its birthday. The service was technically created in 1985; however, the use of this communications technological advantage containing the message "Happy Christmas" sent in the UK over the Vodafone network was not seen until the first message was transmitted on 3rd December 1992.

The ubiquitous use of SMS generated global revenues, research has shown, of over $150 billion for 2009 and is forecast to reach $233 billion by the end of 2014, according to Sheri Wells of SMS Media Group.

SMS texting is used by the rich and famous, film stars, singers to the general populace and it is hard to think of anywhere in the world that hasn't used the SMS service. But there are countries that do not have SMS currently. Do you know the names of those countries and what are their population sizes?

Manufacturers have agreed to create a single one-size-fits-all power charger, so a standard PSU interface is expected to be used. The approach is being applied to data-enabled mobile phones for models to be distributed in 2011 according to the EU, as reported by Business Week:

Saturday, July 31, 2010

Having specialised in the UK for many years dealing with deleted data and having published many papers on 'deleted content', 'deleted text messages', 'deleted data mobiles' and 'deleted data may not amount to possession' when this subject raises its head it is worth making a record of it for later discussion.

There are many aspects about deleted data that require to be considered in detail before making an allegation (Prosecution/Defence, Plaintiff/Respondent etc) and simply finding deleted data and saying well it is here let's use it is not always a good idea.

The details of an Australian criminal case reported recently involving recovered deleted data showed the content of a text message imported an entirely different context about an allegation of rape.

A MAN'S business and reputation are tainted, a young woman's HSC and mental health are in tatters and prosecutors have been ordered to pay more than $30,000 in legal costs for a bungled rape investigation on Sydney's northern beaches.

This case shows an example where deleted data can be effective. Past cases I dealt with are illustrative of what can be found in deleted data such as a daughter who accused her father of rape when in fact she didn't want to admit to having sexual relations with a boyfriend her parents knew nothing about. Or the case of a man's body that was found where a family stated they had never visited them, only to find a deleted photo of the man in their living room.

Thursday, July 08, 2010

Mobile market forecasts all predict the heavy reliance on GSM/3G/LTE and Mobile WiMax etc over the next 15 years. This is something I have been predicting for the last 10 years. Naturally, mobile forensics will need to play its part and hence the reason for the MTEB educational programme for students and experienced individuals.

Worldwide Mobile Subscriptions Forecast To Exceed Five Billion By 4Q-2010

Singapore -- ABI Research forecasts over five billion mobile subscriptions by the end of 2010, with an approximate 4.8 billion connections having been reached by the end of the year's first quarter. Much of this growth will be registered in developing markets in Africa and the Asia-Pacific region.

Africa remains the fastest growing mobile market with a YoY growth of over 22%. Mobile penetration in Asia-Pacific will rise significantly to 65% by the end of 2010. "This unprecedented growth is driven by India and Indonesia, which have together added over 150 million subscriptions in the past four quarters," comments ABI Research analyst Bhavya Khanna. "Falling monthly tariffs and ultra-low-cost mobile handsets have democratised the reach and use of the mobile phone, and aggressive rollouts by mobile operators in these countries will see the current rate of subscriber addition maintained for some time to come."

At the other end of the spectrum, developed countries in North America and Europe continue to add subscriptions despite already having crossed the 100% penetration threshold. Driving this growth in subscriptions are new mobile devices and the 'third screen' - including netbooks, tablet computers, USB dongles and e-book readers. "The success of Apple's iPad 3G shows that even operators in saturated markets can add subscriptions by introducing innovative and user-friendly devices," says vice president of forecasting Jake Saunders.

In addition, the introduction of 4G data networks such as WiMAX and LTE will see more consumers ditch their cables and access the Internet through mobile broadband connections. Operators such as Clearwire in the United States and Yota in Russia have seen consumers turn to their networks as fast and mobile alternatives to fixed-line broadband.

Wednesday, July 07, 2010

Every student involved with and undertaking technology forensics studies or degrees wants to have some ideas for their thesis, about the various types of work in the field, market potential, employment possibilities and future trends. In reality all of the aforementioned separate entities, when understood as to their meaning, once brought together create one single evolved entity – YOU. This one-day student conference sets out various avenues for student exploration, observations and direction for student consideration. It is therefore a conference for the self-motivated, self-starter. The objective of the conference is to give students attending an edge in thinking about the avenues for developing future work and careers. Each Student attending will receive an MTEB Business Awareness Certificate; useful to add to the portfolio to demonstrate experience.

CONFERENCE CONTENT

Presentation 1 - Introduction

You think you have a problem, and that is why you do..

Monday, July 05, 2010

A police officer switching ON a device that is already switched OFF at a potential crime scene should be an absolute no-no, according to Forensic bibles, case law etc. Indeed, even the Police's official release version of ACPO Guidelines categorically states for Crime Scenes Page 8/66:

"• Do not, in any circumstances, switch the computer on."

Why does this matter? It is a flagrant breach of that principle when we see on "Cops on Camera" ITV 3 Saturday 8pm 4th July 2010 patrol car police stopping a car in Lewisham, questioning the driver about drug related matters (ok, to this point) and then the officer opens the boot of the car and in it he sees a laptop. Did the officer put the laptop in an evidence bag? Oh no, he switches ON the laptop.

The programme clearly demonstrated a major psychological flaw in the thinking of those who are generating evidential rules vis-a-vis evidential standards. I do not think the Police officer is actually to blame, because you see the way he went about the task displaying little regard for the rules - which probably means he doesn't know them or they are not enforced properly.

Moreover, it certainly highlights the redundancy of ACPO Guidelines, because what is the point of promoting good practice principles and expecting them to be followed in the Lab and at Scene of Crime, yet when it comes to devices in cars or people walking along the street with devices then a wild-west approach of anything goes to deal with the evidence occurs.

Furthermore, it undermines s129 Criminal Justice Act 2003 reliability to seek overt declarations of change to data by ignoring the use of this wild-west approach and reduces the reliability of evidence to nothing more than speculative assumptions. This certainly reveals the slippery slope Lord Steyn raised when as Steyn HHJ R v Minors [1989] 1 WLR 441 he said “if computer evidence cannot be used, much crime would be immune to prosecution also”? For computer evidence to be used it has to be as reliable as possible, at first instance, and reflect the behaviour of the defendant, not the world and his wife who have also had a go at the computer.

Saturday, July 03, 2010

There is a considerable body of factual and statistical evidence defining the continuing and diversified growth of wireless communications and the use of mobile/smart phone technology that underpins the reason for launching the course "Fundamentals & Principles, Mobile Phone Programming" (http://trewmte.blogspot.com/2010/07/fundamentals-principles-mobile-phone.html).

Here are links to a number of examples of growth and diversification in the mobile phone marketplace:

Friday, July 02, 2010

At the MTEB Conference 2009 Greg Smith TrewMTE stated that the MTEB would launch a series of new courses in 2010 to help improve skillsets, increase knowledge and experience, help galvanise the industry, generate a body that represented our industry and demonstrate ways forward as to marketplaces. Given the current economic climate and public sector cutbacks MTEB has brought forward the launch of the courses with Cell Site Analysis Fundamentals announced recently here and at Forensic Focus and today the launch of FUNDAMENTALS & PRINCIPLES, MOBILE PHONE PROGRAMMING. This new course is to assist those who want to extend their working boundaries, introduce new work to their company or move on from evidence in criminal cases and see the world of mobile phones in a different perspective.

The skilled mobile phone examiner demonstrates his/her understanding of mobile phones not merely from data that s/he has acquired, for that can be relatively simple, but by illustrating his/her understanding of a mobile phone’s capability. For instance, how does the programming language relate to evidence? What does the keypad tell us? How do we know photos get stored in the Image Folder? File sharing, is that possible? Can mobile phone programming skillsets be used in private and commercial business? What about IP infringement or industrial espionage - are mobile phones used? Remember that forensic techniques are not solely applied in criminal matters but in many other areas too! This course can help get you started in new working environments.

Monday, June 21, 2010

A snippet of information I recently noted that was interesting related to the recyclable gold used in SIM Cards. It is said that although the thickness of gold is measured in microns, a generalised (perhaps inaccurate) comparison that has been made is that it would take the gold leaf removed from at least 500,000 recycled SIM Cards to make one gold ring. Thought provoking comparison perhaps, but it tells us nothing about the real weight of the gold used for each SIM Card and nothing about the gold's purity either. So don't give up work just yet.

Mobile Phone Forensic Examination

Greg Smith has over 30 years (1985 to 2016) experience in handling digital and mobile telephone evidence in criminal and civil investigations and providing services to blue-chip clients in the UK. Our unit the DEEU conducts acquisition and harvesting of data from: